3rd June 2018

FakeIKEd

FakeIKEd, or fiked for short, is a fake IKE daemon supporting
just enough of the standards and Cisco extensions to attack commonly
found insecure Cisco VPN setups that authenticate IPsec with a
pre-shared key plus XAUTH, in what could be described as a one-sided
MitM attack. Fiked impersonates the VPN gateway's IKE responder in
order to capture XAUTH login credentials; it does not currently
implement the client side that a full MitM would need to relay the
session on to the real gateway.

Fiked is partially based on low-level ISAKMP packet manipulation
code taken from vpnc, and uses libgcrypt and optionally libnet.

The Attack

Basically, if you know the pre-shared key, also known as the
shared secret or group password, you can play Man in the
Middle: impersonate the VPN gateway in IKE phase 1, and then
learn the XAUTH user credentials in the XAUTH transaction exchange
that follows phase 1 (before phase 2 Quick Mode). The client
sends them over an ISAKMP SA whose keys are derived from the
same PSK and from the Diffie-Hellman exchange it just completed
with you, so you can read them.
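The following is an added example, not fiked's code: a Python model of the aggressive mode PSK authentication and the XAUTH exchange that follows it, showing why a party that holds only the group password passes the client's HASH_R check and ends up with the same SKEYID_e as the client. The SKEYID, SKEYID_d/a/e and HASH_R derivations follow RFC 2409; the Diffie-Hellman group, the SA and ID payload bytes, the credentials and the XOR "cipher" are toy stand-ins constructed for the example, and a wrong-PSK run is included to show the check that a PSK-less attacker fails.

```python
import hashlib
import hmac
import random

# Toy Diffie-Hellman group, for illustration only: real IKEv1 uses the
# MODP groups of RFC 2409 / RFC 3526. P is the Mersenne prime 2^127 - 1.
P = (1 << 127) - 1
G = 2
NBYTES = 16  # width used to serialise group elements below


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC over the negotiated hash; SHA-1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(NBYTES, "big")


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared key auth: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_sa_keys(skeyid, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID_d, SKEYID_a and SKEYID_e."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """Responder proof: prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    Everything but SKEYID travels in the clear, so the PSK is the only secret."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC keystream: a stand-in for the 3DES/AES-CBC the real
    ISAKMP SA uses, keyed from SKEYID_e. The same call encrypts and decrypts."""
    stream = b"".join(prf(key, i.to_bytes(4, "big"))
                      for i in range(len(data) // 20 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))


def run_exchange(group_psk, username, password, attacker_psk=None, seed=1):
    """Aggressive mode with the impersonator as responder, followed by XAUTH.
    attacker_psk defaults to the real group PSK (the fiked scenario); pass a
    wrong one to see the client reject the fake gateway."""
    rng = random.Random(seed)
    rb = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    attacker_psk = group_psk if attacker_psk is None else attacker_psk
    sai_b = b"\x00\x00\x00\x01toy-SA-proposal"         # constructed SA body
    idir_b = b"\x02\x00\x00\x00" + b"vpn.example.com"  # ID the client expects

    # Message 1 (client -> "gateway"): HDR, SA, KE, Ni, IDii. fiked sees all of it.
    xi = rng.randrange(2, P - 1)
    gxi, ni_b, cky_i = pow(G, xi, P), rb(16), rb(8)

    # Message 2 (impersonator -> client): HDR, SA, KE, Nr, IDir, HASH_R.
    xr = rng.randrange(2, P - 1)
    gxr, nr_b, cky_r = pow(G, xr, P), rb(16), rb(8)
    fake_skeyid = skeyid_psk(attacker_psk, ni_b, nr_b)
    fake_hash_r = hash_r(fake_skeyid, i2b(gxr), i2b(gxi), cky_r, cky_i, sai_b, idir_b)

    # The client checks HASH_R with its own copy of the group password.
    client_skeyid = skeyid_psk(group_psk, ni_b, nr_b)
    expected = hash_r(client_skeyid, i2b(gxr), i2b(gxi), cky_r, cky_i, sai_b, idir_b)
    accepted = hmac.compare_digest(expected, fake_hash_r)
    result = {"client_accepted_gateway": accepted, "skeyid_e_match": False,
              "captured_user": None, "captured_password": None}
    if not accepted:
        return result

    # Phase 1 is complete on both sides; each derives SKEYID_e from SKEYID and g^xy.
    _, _, e_client = derive_sa_keys(client_skeyid, i2b(pow(gxr, xi, P)), cky_i, cky_r)
    _, _, e_fake = derive_sa_keys(fake_skeyid, i2b(pow(gxi, xr, P)), cky_i, cky_r)
    result["skeyid_e_match"] = e_client == e_fake

    # XAUTH transaction exchange: the "gateway" asks for a username and
    # password, the client answers inside the ISAKMP SA. The impersonator
    # holds the same SKEYID_e, so it simply decrypts the reply.
    reply = toy_cipher(e_client, f"{username}\x00{password}".encode())
    user, pw = toy_cipher(e_fake, reply).split(b"\x00", 1)
    result["captured_user"], result["captured_password"] = user.decode(), pw.decode()
    return result


if __name__ == "__main__":
    print(run_exchange(b"cisco-group-secret", "alice", "Winter2018!"))
    print(run_exchange(b"cisco-group-secret", "alice", "Winter2018!",
                       attacker_psk=b"wrong-guess"))
```

The point the model makes is that HASH_R binds the responder to nothing but SKEYID, and SKEYID in PSK mode is a function of the group password and two public nonces. Any holder of the group password therefore produces a proof the client accepts, and with the Diffie-Hellman exchange completed against the impersonator rather than the real gateway, the ISAKMP SA keys protecting the XAUTH reply are shared with the impersonator too. The wrong-PSK run returns the client's rejection and captures nothing.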

This attack is not new. It has been known for a long time that
IKE using PSK with XAUTH is insecure, and this is not the first
actual implementation of the attack.

To successfully demonstrate an attack on a VPN site, you
need to know the shared secret, and you must be able to
intercept the IKE traffic between the clients and the VPN
gateway.

There are several ways to find out the shared secret,
including being a legitimate user, grabbing it from
some Cisco config file, using ike-crack (offline cracking
of the aggressive mode authentication hash), or layer 8
hackery (social engineering).

There are also several ways to redirect the IKE traffic
to your running fiked instance, including ARP spoofing,
802.11 hostap (a rogue access point), or layer 1 hackery
(physical access to the network path).

Fiked builds and runs on FreeBSD, OpenBSD and Linux, and probably
on other BSD variants too. Mac OS X is reported not to work. Please
send me patches or problem reports. All you should need are the
library dependencies, a C99 capable GCC (3.2.x is fine), and GNU make.